Capture The Flag

Team Members: Winnona DeSombre, Jackie Faselt, Ramiro Sarabia, Charlie Yang

Executive Summary: During the Capture the Flag game our team found and exploited vulnerabilities in the given target server. The vulnerabilities identified were weak password requirements (CWE-521), missing encryption of sensitive data (CWE-311), and cleartext transmission of sensitive information (CWE-319). Structurally, the server ran an outdated, insecure operating system and exposed too many open ports. Weaknesses of these kinds have contributed to widely reported attacks such as those associated with Hillary Clinton's 2016 campaign and the Dyn denial-of-service attack. To create a more secure server we recommend that the owner enforce stronger password requirements, encrypt sensitive data at rest and in transit, close unneeded ports, and move to a current, supported operating system.

Introduction: The goal of the Capture the Flag game was to find and exploit vulnerabilities in a target server, 192.168.1.135, and to identify structural flaws in the system. During class time all of the teams were given the target server and attempted to compromise it by gaining access and leaving a note on the system desktop. No team was able to do this; however, many other vulnerabilities were identified and information was gathered. We used tools ranging from rdesktop to Burp Suite. Using these tools and others on our virtual machines we were able to find which commercial off-the-shelf (COTS) software packages were installed as well as the four system users. The sections below describe the tools and methods used to make these findings, along with recommendations and policy implications.

Tools and Methods: This exercise did not require any sophisticated or premium software; every tool we used was free or built into our systems. Using only the tools listed below, we were able to find multiple vulnerabilities and gain access to the server on which the casino site was hosted.

whois: showed that the system was running on a Windows 2008 server. (Note that whois returns domain and address registration records rather than an operating system; the OS is more reliably confirmed from the nmap -sV service banners, such as the Microsoft RPC and SMB services on ports 135/139/445, and from the Windows login screen reached over rdesktop.)

nmap: we used the command nmap -p 1-65535 -sV -sS -T4 192.168.1.135 to identify which ports were open: -p 1-65535 scans every TCP port, -sS performs a SYN (half-open) scan, -sV probes each open port for the service and version behind it, and -T4 uses aggressive timing to finish quickly. Among the open ports was port 3000, which we then used to access the casino website at 192.168.1.135:3000. The other open ports are listed under Findings below.

sqlmap: We tried using sqlmap to identify SQL injection vulnerabilities. Due to time constraints, however, we pursued other ways of breaking into the system. sqlmap also needs a target URL (or a captured HTTP request) containing the parameters to test, which we did not have.

Burp Suite: We used the free edition of Burp Suite, a web security testing tool, as an intercepting proxy to inspect the HTTP requests and responses exchanged between our browser and the server. This showed that session IDs, credit card information, and other sensitive data were being sent in plaintext over unencrypted HTTP.

Mac built-in "Connect to Server": We attempted to reach shared files on the server using the built-in macOS "Connect to Server" function (Finder, Go > Connect to Server). Establishing a connection would confirm that the server offered file shares (consistent with the open SMB ports 139 and 445), and logging in would have let us list those shares. We were able to establish a connection, but were unable to log in.

Chrome Developer Tools: By inspecting elements of the casino site's pages, we found players' credit card numbers stored in plaintext within the HTML.
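The two findings above (sensitive fields visible in Burp's proxy, and card numbers sitting in the page HTML) can be checked mechanically rather than by eye. The following Python script is an added example and is not part of the original report or of the casino site: it parses a raw HTTP response, flags every digit run in the body that passes the Luhn check (which filters out order numbers and timestamps but does not prove a number is a live card), and flags session cookies set without the Secure and HttpOnly attributes. The response text, the cookie name _session_id and the card numbers (standard test numbers) are constructed sample data.

```python
"""Scan a captured HTTP response for card numbers and insecure session cookies.

Added example, not code from the report or the casino site. SAMPLE_RESPONSE
is constructed to resemble what the casino page returned; its card numbers
are the standard Visa/Mastercard test numbers, not real accounts.
"""
import re
from html import unescape

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(body: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in an HTML/text body."""
    pans = []
    for match in PAN_RE.finditer(unescape(body)):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Show only the last four digits, as a report should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def parse_response(raw: str) -> tuple[dict[str, list[str]], str]:
    """Split a raw HTTP/1.1 response into {header-name: [values]} and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def insecure_cookies(headers: dict[str, list[str]]) -> list[str]:
    """Name each cookie set without Secure and/or HttpOnly."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"{name} missing {', '.join(missing)}")
    return findings


def scan(raw_response: str) -> dict[str, list[str]]:
    """Run both checks over one captured response."""
    headers, body = parse_response(raw_response)
    return {"pans": find_pans(body), "cookies": insecure_cookies(headers)}


# Constructed sample: shaped like the casino's account page, not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: _session_id=3f9c2e1a7b; path=/\r\n"
    "\r\n"
    "<html><body><h1>Account</h1>\n"
    "<p>Order 20161103 for player sam</p>\n"
    "<table><tr><td>Card on file</td><td>4111-1111-1111-1111</td></tr></table>\n"
    "<input type='hidden' name='cc' value='5500000000000004'>\n"
    "<p>Ticket 1234567890123456</p>\n"   # 16 digits but fails Luhn: not a card
    "</body></html>"
)

if __name__ == "__main__":
    result = scan(SAMPLE_RESPONSE)
    for pan in result["pans"]:
        print("card number in cleartext body:", mask(pan))
    for finding in result["cookies"]:
        print("cookie:", finding)
```

The same scan can be pointed at responses saved from Burp's proxy history; a Luhn hit in a response carried over plain HTTP is simultaneously evidence for CWE-311 (stored in the page unprotected) and CWE-319 (transmitted in cleartext).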

rdesktop: We used rdesktop to open a Remote Desktop (RDP) session to the Windows 2008 server hosting the casino. After logging in as Administrator with the password "p@ssw0rd" (thanks for the hint), we were able to enumerate the user accounts.

Findings:

Operating System: Windows Server 2008

Services / Open Ports:
- 135 (msrpc)
- 139 (netbios-ssn)
- 445 (microsoft-ds)
- 3000 (http)
- 21 (ftp, open only periodically)
- among others (see below)

Commercial Off-The-Shelf (COTS) Software Packages:
- Wireshark setup files
- Various executables for DDoS
- Nmap and the Zenmap GUI
- HxD (hex editor)
- HashCalc
- Hacme Server Casino START (the casino web application served on port 3000)

Users:
- Administrator (password: p@ssw0rd)
- Sam
- student
- guest

Vulnerabilities: The target server had the following vulnerabilities (please note that the screenshots of these vulnerabilities, captured with the tools described above, are not reproduced in this summary):

CWE-521: Weak Password Requirements

Not only did the server have an administrator password that was easy to guess, but the website itself enforced only a minimum password length of 5 characters, as can be seen when registering an account on the casino site. To mitigate this vulnerability the owner of the server should enforce a longer minimum password length (NIST SP 800-63B recommends at least 8 characters while permitting at least 64), screen new passwords against lists of breached and commonly used passwords so that a value like "p@ssw0rd" is rejected, and rate-limit repeated failed logins. Mixed-character-set rules and scheduled password expiration are weaker substitutes: NIST SP 800-63B advises against both, because they push users toward predictable patterns, and recommends forcing a change only when there is evidence of compromise.
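The contrast between the site's policy and the mitigation recommended above, as an added example in Python that is not code from the casino site or from this report: weak_policy reproduces the 5-character rule observed at registration, and hardened_policy applies the NIST SP 800-63B style checks (length bounds, breached-password screening, account-name check, no composition rules, no expiry). The BREACHED set is a constructed stand-in for a real breached-password corpus such as the Have I Been Pwned list; the usernames come from the Findings section.

```python
"""Password policy as observed on the casino site beside a hardened one.

Added example, not code from the casino site or the report. BREACHED is a
constructed stand-in for a real breached-password corpus; in production,
check against a full list (e.g. the Have I Been Pwned k-anonymity API).
"""
import unicodedata

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # 800-63B says to allow at least 64; cap only to bound hashing cost

# Constructed sample of a breached/common-password list.
BREACHED = {"p@ssw0rd", "password", "123456", "qwerty", "letmein"}


def weak_policy(password: str) -> bool:
    """What the casino site enforced: five or more characters, nothing else."""
    return len(password) >= 5


def hardened_policy(password: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Length bounds, breached/common-password screening and an account-name
    check; deliberately no composition rules and no expiry, per 800-63B.
    """
    pw = unicodedata.normalize("NFKC", password)  # compare Unicode forms consistently
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BREACHED:               # case-insensitive: "P@SSW0RD" is no better
        reasons.append("found in breached-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the account name")
    if len(set(pw)) <= 2:                    # "aaaaaaaa", "abababab"
        reasons.append("too repetitive")
    return reasons


if __name__ == "__main__":
    samples = [("p@ssw0rd", "Administrator"), ("abc12", "Sam"),
               ("Sam_casino_2016", "Sam"), ("correct horse battery staple", "guest")]
    for candidate, user in samples:
        print(f"{candidate!r}: site accepts={weak_policy(candidate)} "
              f"hardened rejects={hardened_policy(candidate, user) or 'no'}")
```

Note that the server's own "p@ssw0rd" passes the site's rule and would also pass a length-plus-character-class rule; only the breached-list check catches it, which is why that check does more for security than composition rules.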

CWE-311: Missing Encryption of Sensitive Data/ CWE-319: Cleartext Transmission of Sensitive Information


In order to avoid copyright disputes, this page is only a partial summary.
